sydnix/modules/nixos/deertopia/lldap.nix

{ config, lib, pkgs, ... }:

let cfg = config.sydnix.deertopia.lldap;
in {
  options.sydnix.deertopia.lldap = {
    enable = lib.mkEnableOption ''
      Deertopia's lldap, a lightweight authentication server that provides an
      opinionated, simplified LDAP interface for authentication.
    '';
    baseDN = lib.mkOption {
      type = lib.types.str;
      default = "dc=deertopia,dc=net";
    };
  };

  imports = [
    ./lldap/pam.nix
  ];

  config = lib.mkIf cfg.enable {
    # HACK: Why doesn't the lldap module do this?  Sops-nix fails to set the
    # secrets' owner as the user does not yet exist.
    users.users.lldap = {
      isSystemUser = true;
      group = "lldap";
    };

    users.groups.lldap = {};

    sydnix.impermanence.directories = [
      "/var/lib/private/lldap"
    ];

    sydnix.sops.secrets =
      let e = {
            mode = "0440";
            owner = "lldap";
            group = "lldap";
          };
      in {
        lldap-ldap-user-pass = e;
        lldap-jwt-secret = e;
        lldap-secret-env = {};
        lldap-ldaps-key = e;
      };

    networking.firewall.allowedTCPPorts = [
      config.services.lldap.settings.http_port
      config.services.lldap.settings.ldap_port
      config.services.lldap.settings.ldaps_options.port
    ];

    services.lldap = {
      enable = true;
      environment = {
        LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
        LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
        LLDAP_LDAPS_OPTIONS__ENABLED = "true";
      };
      environmentFile = "/run/secrets/lldap-secret-env";
      settings = {
        ldap_base_dn = cfg.baseDN;
        ldap_user_dn = "lain";
        ldap_user_email = "lain@deertopia.net";
        ldaps_options = {
          enabled = true;
          port = 6360;
          cert_file = ./lldap/cert.pem;
          key_file = "/run/secrets/lldap-ldaps-key";
        };
      };
    };

    sydnix.deertopia.nginx.vhosts."identify".vhost = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass =
          let port = builtins.toString config.services.lldap.settings.http_port;
          in "http://localhost:${port}";
      };
    };

    services.nginx.proxyCachePath."cache/" = {
      enable = true;
      keysZoneName = "auth_cache";
    };
  };
}